Re: Filters giving odd errors

Sat, 15 Aug 2020 08:40:08 -0700

I think it had something to do with missing RPKI, even though it was in filters and other things related to that. Now I'm not getting that error anymore anywhere after You fixed the template. :) 

On 15/08/2020 0.16, Brooks Swinnerton wrote:
I think Maria means sharing the smallest possible configuration that still reproduces the problem. If the problem is a result of the filters, then keeping those in place to help debug. 


I'd also be happy to try and debug your configuration as a whole (I 
wrote https://github.com/neptune-networks/peering 
<https://github.com/neptune-networks/peering> so I'm a bit familiar 
with what the generator is intended to do). If you do decide to share 
the full config, please don't post it in the contents of the email as 
it can get truncated and the line numbers will be mixed up. Perhaps a 
Gist or pastebin would help here.


Regarding:

> P.S I need to find a guide on how to do bird2 and RPKI as well.


I've written about this in 
https://brooks.sh/2019/11/11/validating-bgp-routes-with-rpki-in-bird/ 
<https://brooks.sh/2019/11/11/validating-bgp-routes-with-rpki-in-bird/>, 
which was in part the inspiration for the repository you're using to 
generate your BIRD configuration. Hope that helps.



On Fri, Aug 14, 2020 at 3:44 PM Skyler Mäntysaari <[email protected] 
<mailto:[email protected]>> wrote:


    I'm using version 2.0.7, running on Ubuntu 20.04.

    Do you mean minimal config regarding the filters or the whole thing?

    On Fri, Aug 14, 2020, at 02:15, Maria Matejka wrote:

    I'm unable to reproduce the reported behavior. Could you please
    try to
    reduce your config to a minimum config that would reproduce this
    behavior? What version are you using?

    Thanks,
    Maria

    On 8/13/20 5:46 PM, Skyler Mäntysaari wrote:
    > Line 360 is the prefix_is_bogon if statement.
    >
    > The bogon lists can be seen from:
    >
    
https://github.com/neptune-networks/peering/blob/master/out/router.fqdn.example/bird.conf#L36-L84
    
<https://github.com/neptune-networks/peering/blob/master/out/router.fqdn.example/bird.conf#L36-L84>
    >
    > -----------------------------------------------------------
    >    if prefix_is_bogon() then
    >      reject "prefix is bogon - REJECTING ", net;
    > -----------------------------------------------------------
    > function prefix_is_bogon() {
    >    if net.type = NET_IP4 then
    >      if net ~ BOGONS_4 then return true;
    >    if net.type = NET_IP6 then
    >      if net ~ BOGONS_6 then return true;
    >    return false;
    > }
    > -----------------------------------------------------------
    >
    > P.S Please do not reply to me directly, but to the list.
    >
    > On 13/08/2020 18.41, Maria Matějka wrote:
    >> Hello!
    >> The error message tells you that you are passing something
    strange to
    >> the condition on line 360. What do you have on line 360?
    >> Maria
    >>
    >> On August 13, 2020 4:46:12 PM GMT+02:00, "Skyler Mäntysaari"
    >> <[email protected] <mailto:[email protected]>> wrote:
    >>
    >>     Hi there,
    >>
    >>     I'm using the template from
    >>
    
https://github.com/neptune-networks/peering/blob/master/out/router.fqdn.example/bird.conf
    
<https://github.com/neptune-networks/peering/blob/master/out/router.fqdn.example/bird.conf>

    >>     for my filters, and I'm getting argument related errors in
    logs.
    >>
    >>     What's the issue with those filters?
    >>
    >>     P.S I need to find a guide on how to do bird2 and RPKI as
    well.
    >>
    >>     Logs:
    >>
    ------------------------------------------------------------------------
    >>     2020-08-13 17:37:47 <ERR> filters, line 360: Argument 1 of
    instruction
    >>     FI_CONDITION must be of type T_BOOL, got 0x00
    >>     2020-08-13 17:37:47 <ERR> filters, line 360: Argument 1 of
    instruction
    >>     FI_CONDITION must be of type T_BOOL, got 0x00
    >>     2020-08-13 17:37:47 <ERR> filters, line 360: Argument 1 of
    instruction
    >>     FI_CONDITION must be of type T_BOOL, got 0x00
    >>     2020-08-13 17:37:47 <ERR> filters, line 360: Argument 1 of
    instruction
    >>     FI_CONDITION must be of type T_BOOL, got 0x00
    >>     2020-08-13 17:37:47 <ERR> filters, line 360: Argument 1 of
    instruction
    >>     FI_CONDITION must be of type T_BOOL, got 0x00
    >>     2020-08-13 17:37:47 <ERR> ...
    >>
    ------------------------------------------------------------------------
    >>     Bird config, the filter functions:
    >>
    ------------------------------------------------------------------------
    >>     # --- Filters (technically functions) ---
    >>     function default_import() {
    >>         if bgp_path.len > 32 then
    >>           reject "AS_PATH len [", bgp_path.len ,"] longer than
    32 - REJECTING
    >>     ", net;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         if is_own_prefix() then
    >>           reject "prefix is our own - REJECTING ", net;
    >>
    >>         if is_own_internal_prefix() then {
    >>           if !prefix_is_in_global_whitelist() then
    >>             reject "prefix is our own and internal - REJECTING
    ", net;
    >>         }
    >>
    >>         if prefix_is_bogon() then
    >>           reject "prefix is bogon - REJECTING ", net;
    >>
    >>         if net.type = NET_IP4 then
    >>           if !is_prefix_length_valid(8, 24) then
    >>             reject "prefix len [", net.len, "] not in 8-24 -
    REJECTING ", net;
    >>
    >>         if net.type = NET_IP6 then
    >>           if !is_prefix_length_valid(12, 56) then
    >>             reject "prefix len [", net.len, "] not in 12-56 -
    REJECTING ", net;
    >>
    >>         #perform_rpki_validation();
    >>
    >>         if route_is_rpki_invalid() then
    >>           reject "RPKI, route is INVALID - REJECTING ", net;
    >>
    >>         add_region_community();
    >>         add_site_community();
    >>         honor_graceful_shutdown();
    >>
    >>         accept;
    >>     }
    >>
    >>     function peer_import() {
    >>         scrub_communities_in();
    >>         add_peer_community();
    >>         default_import();
    >>     }
    >>
    >>     function peer_export() {
    >>         strip_private_asns();
    >>         add_global_prepends();
    >>
    >>         if is_own_prefix() then accept;
    >>
    >>         if route_is_rpki_invalid() then
    >>           reject "RPKI, route is INVALID - NOT ANNOUNCING ", net;
    >>
    >>         if is_own_internal_prefix() then {
    >>           if !prefix_is_in_global_whitelist() then
    >>             reject "prefix is our own and internal - NOT
    ANNOUNCING ", net;
    >>         }
    >>
    >>         if net.type = NET_IP4 then
    >>           if !is_prefix_length_valid(8, 24) then
    >>             reject "prefix len [", net.len, "] not in 8-24 -
    REJECTING ", net;
    >>
    >>         if net.type = NET_IP6 then
    >>           if !is_prefix_length_valid(12, 48) then
    >>             reject "prefix len [", net.len, "] not in 12-48 -
    REJECTING ", net;
    >>
    >>         if prefix_is_bogon() then
    >>           reject "prefix is bogon - NOT ANNOUNCING ", net;
    >>
    >>         if as_path_contains_invalid_asn() then
    >>           reject "AS_PATH [", bgp_path ,"] contains invalid
    ASN - REJECTING
    >>     ", net;
    >>
    >>         if should_not_export_to_site() then
    >>           reject "NO_EXPORT community in place for site - NOT
    ANNOUNCING ", net;
    >>
    >>         if should_not_export_to_region() then
    >>           reject "NO_EXPORT community in place for region -
    NOT ANNOUNCING ",
    >>     net;
    >>
    >>         if should_not_export_to_peers() then
    >>           reject "NO_EXPORT community in place for peers - NOT
    ANNOUNCING ", net;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         if was_learned_from_customer() then accept;
    >>
    >>         reject;
    >>     }
    >>
    >>     function upstream_import() {
    >>         scrub_communities_in();
    >>         add_upstream_community();
    >>         default_import();
    >>     }
    >>
    >>     function upstream_export() {
    >>         strip_private_asns();
    >>         add_global_prepends();
    >>
    >>         if is_own_prefix() then accept;
    >>
    >>         if route_is_rpki_invalid() then
    >>           reject "RPKI, route is INVALID - NOT ANNOUNCING ", net;
    >>
    >>         if is_own_internal_prefix() then {
    >>           if !prefix_is_in_global_whitelist() then
    >>             reject "prefix is our own and internal - NOT
    ANNOUNCING ", net;
    >>         }
    >>
    >>         if net.type = NET_IP4 then
    >>           if !is_prefix_length_valid(8, 24) then
    >>             reject "prefix len [", net.len, "] not in 8-24 -
    REJECTING ", net;
    >>
    >>         if net.type = NET_IP6 then
    >>           if !is_prefix_length_valid(12, 48) then
    >>             reject "prefix len [", net.len, "] not in 12-48 -
    REJECTING ", net;
    >>
    >>         if prefix_is_bogon() then
    >>           reject "prefix is bogon - NOT ANNOUNCING ", net;
    >>
    >>         if as_path_contains_invalid_asn() then
    >>           reject "AS_PATH [", bgp_path ,"] contains invalid
    ASN - REJECTING
    >>     ", net;
    >>
    >>         if should_not_export_to_site() then
    >>           reject "NO_EXPORT community in place for site - NOT
    ANNOUNCING ", net;
    >>
    >>         if should_not_export_to_region() then
    >>           reject "NO_EXPORT community in place for region -
    NOT ANNOUNCING ",
    >>     net;
    >>
    >>         if should_not_export_to_upstreams() then
    >>           reject "NO_EXPORT community in place for upstreams -
    NOT ANNOUNCING
    >>     ", net;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         if was_learned_from_customer() then accept;
    >>
    >>         reject;
    >>     }
    >>
    >>     function customer_import() {
    >>         scrub_communities_in();
    >>         add_customer_community();
    >>         default_import();
    >>     }
    >>
    >>     function customer_export() {
    >>         strip_private_asns();
    >>         add_global_prepends();
    >>
    >>         if is_own_prefix() then accept;
    >>
    >>         if route_is_rpki_invalid() then
    >>           reject "RPKI, route is INVALID - NOT ANNOUNCING ", net;
    >>
    >>         if is_own_internal_prefix() then {
    >>           if !prefix_is_in_global_whitelist() then
    >>             reject "prefix is our own and internal - NOT
    ANNOUNCING ", net;
    >>         }
    >>
    >>         if net.type = NET_IP4 then
    >>           if !is_prefix_length_valid(8, 24) then
    >>             reject "prefix len [", net.len, "] not in 8-24 -
    REJECTING ", net;
    >>
    >>         if net.type = NET_IP6 then
    >>           if !is_prefix_length_valid(12, 48) then
    >>             reject "prefix len [", net.len, "] not in 12-48 -
    REJECTING ", net;
    >>
    >>         if prefix_is_bogon() then
    >>           reject "prefix is bogon - NOT ANNOUNCING ", net;
    >>
    >>         if as_path_contains_invalid_asn() then
    >>           reject "AS_PATH [", bgp_path ,"] contains invalid
    ASN - REJECTING
    >>     ", net;
    >>
    >>         if should_not_export_to_site() then
    >>           reject "NO_EXPORT community in place for site - NOT
    ANNOUNCING ", net;
    >>
    >>         if should_not_export_to_region() then
    >>           reject "NO_EXPORT community in place for region -
    NOT ANNOUNCING ",
    >>     net;
    >>
    >>         if should_not_export_to_customers() then
    >>           reject "NO_EXPORT community in place for customers -
    NOT ANNOUNCING
    >>     ", net;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         if was_learned_from_peer() then accept;
    >>         if was_learned_from_private_peer() then accept;
    >>         if was_learned_from_upstream() then accept;
    >>         if was_learned_from_customer() then accept;
    >>
    >>         reject;
    >>     }
    >>
    >>     function core_import() {
    >>         if prefix_is_bogon() then reject;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         honor_graceful_shutdown();
    >>         accept;
    >>     }
    >>
    >>     function core_export() {
    >>         if prefix_is_bogon() then reject;
    >>
    >>         if prefix_is_in_global_blacklist() then
    >>           reject "prefix is in global blacklist - REJECTING ",
    net;
    >>
    >>         if is_own_prefix() then accept;
    >>         if is_own_internal_prefix() then accept;
    >>         if was_learned_from_peer() then accept;
    >>         if was_learned_from_private_peer() then accept;
    >>         if was_learned_from_upstream() then accept;
    >>         if was_learned_from_customer() then accept;
    >>
    >>         reject;
    >>     }
    >>
    ------------------------------------------------------------------------
    >>     --
    >>     This email has been checked for viruses by Avast antivirus
    software.
    >> https://www.avast.com/antivirus <https://www.avast.com/antivirus>
    >>
    >>
    >> --
    >> Sent from my Android device with K-9 Mail. Please excuse my
    brevity.
    >
    >
    >
    ------------------------------------------------------------------------
    > Avast logo
    >
    
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient
    
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>>

    >
    >
    > This email has been checked for viruses by Avast antivirus
    software.
    > www.avast.com <http://www.avast.com>
    >
    
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient
    
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>>

    >
    >
    >
    > <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>






--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus






















					Reply via email to